How to fix CVE-2026-26308?

Within 24 hours: Inventory all Envoy deployments and verify affected versions (pre-1.37.1, pre-1.36.5, pre-1.35.8, pre-1.34.13). Within 7 days: Apply available vendor patches to all affected instances, starting with production environments. Within 30 days: Complete patching across all Envoy deployments in development, staging, and non-production environments; conduct access log review for potential exploitation attempts.

Is Envoy affected by CVE-2026-26308?

Envoy proxy deployments are vulnerable to authentication bypass through a logic flaw in the RBAC filter when processing HTTP headers with multiple values, potentially allowing unauthorized access to protected resources.

CVE-2026-26308

HIGH

2026-03-10 [email protected]

GHSA-ghc4-35x6-crw5

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 11, 2026 - 16:23 vuln.today

Public exploit code

Patch Released

Mar 11, 2026 - 16:23 nvd

Patch available

CVE Published

Mar 10, 2026 - 20:16 nvd

HIGH 7.5

Description

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies-specifically "Deny" rules-by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Analysis

Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating each value individually, allowing attackers to bypass "Deny" access control policies through header manipulation. This vulnerability affects Envoy versions prior to 1.34.13, 1.35.8, 1.36.5, and 1.37.1, and public exploit code exists. …

Remediation

Within 24 hours: Inventory all Envoy deployments and verify affected versions (pre-1.37.1, pre-1.36.5, pre-1.35.8, pre-1.34.13). Within 7 days: Apply available vendor patches to all affected instances, starting with production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: +20

CVE-2026-26308 vulnerability details – vuln.today

Back

CVE-2026-26308

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-26308

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code